SmokeLoader Malware Found Spreading via Fake Meltdown/Spectre Patches

In early January, researchers revealed the technical details of Meltdown and Spectre, two vulnerabilities found in modern CPUs. The researchers said that billions of devices were at risk, as the flaws allow malicious apps to access data while it is being processed. Chip makers and vendors were alerted to the threats last year; some of them began work on patches several months ago but waited for the coordinated public disclosure date. Apple, Microsoft, and Google have deployed the necessary patches to prevent further damage from these attacks.

Meltdown affects Intel processors and allows hackers privileged access to parts of a computer memory used by an application or program and the operating system. On the other hand, Spectre affects processors such as Intel, Advanced Micro Devices (AMD), and Advanced RISC Machine (ARM), permitting attackers to steal information in the kernel/cached files or data such as passwords and login keys of running programs stored in the memory.

However, users should be careful when downloading patches, as cybercriminals are already taking advantage of the news surrounding Meltdown and Spectre. One piece of malware targeting German users is SmokeLoader, which was spotted after German authorities issued a warning about phishing emails.

These emails purport to come from the German Federal Office for Information Security (BSI). According to researchers, the domain they link to hosts an SSL-enabled phishing site that is not affiliated with any legitimate government entity but tricks users into installing malware. The website has a page that links to resources on Meltdown and Spectre, but it also contains links to a ZIP archive containing malware. Once a user downloads and runs the file, SmokeLoader is installed. It then downloads and runs additional payloads. Researchers also said that the malware attempts to connect to various domains and sends out encrypted information.

Beware of malicious email attachments

In some Business Email Compromise (BEC) attacks, the attached files no longer contain executables but HTML pages. Anti-spam filters can flag suspicious-looking emails that carry executable files, whereas an HTML attachment is harder to detect: it poses no immediate threat unless the page is confirmed to be a phishing page. Moreover, phishing pages can easily be coded and deployed, and they run on any platform.
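As an added example (not code from the original article or from any vendor product it mentions), the following scanner shows one defensive check a mail gateway can apply to exactly this kind of attachment: it parses a raw email, pulls out HTML attachments, and scores each one on indicators of a credential-harvesting page (a password field, a form that submits to an external host, inline script). The sample message, its addresses and the scoring weights are all constructed for illustration and are not from the article.

```python
"""Flag HTML email attachments that look like credential-harvesting pages.

Added example, not the article's own code. The message below is constructed
inline; the indicator weights are illustrative, not a calibrated model.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PhishIndicatorParser(HTMLParser):
    """Collect signals that an HTML document is a credential-harvesting page."""

    def __init__(self):
        super().__init__()
        self.external_form_actions = []  # absolute http(s) URLs that forms submit to
        self.password_inputs = 0         # number of <input type="password">
        self.script_tags = 0             # number of <script> elements

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            if urlparse(a.get("action", "")).scheme in ("http", "https"):
                self.external_form_actions.append(a["action"])
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self.script_tags += 1


def score_html(html_text):
    """Return (score, reasons) for one HTML document."""
    p = _PhishIndicatorParser()
    p.feed(html_text)
    p.close()
    score, reasons = 0, []
    if p.password_inputs:
        score += 2
        reasons.append("password input field")
    if p.external_form_actions:
        score += 2
        reasons.append("form submits to external host: "
                       + ", ".join(p.external_form_actions))
    if p.script_tags:
        score += 1
        reasons.append(f"{p.script_tags} script tag(s)")
    return score, reasons


def scan_message(raw_bytes, threshold=3):
    """Return [(filename, score, reasons)] for HTML attachments at or above threshold."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".htm", ".html")))
        if not is_html:
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        score, reasons = score_html(text)
        if score >= threshold:
            findings.append((name, score, reasons))
    return findings


# Constructed sample attachments: one credential-harvesting page, one benign page.
PHISHING_HTML = """<html><body>
<h1>Security update required</h1>
<form action="https://login-portal.example.invalid/collect" method="post">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<script>document.forms[0].submit</script>
</body></html>"""

BENIGN_HTML = ("<html><body><p>Quarterly newsletter</p>"
               "<a href='https://example.invalid'>Read more</a></body></html>")


def build_sample_message():
    """Build a constructed multipart message with both attachments (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Important security update"
    msg.set_content("Please open the attached page to apply the update.")
    msg.add_attachment(PHISHING_HTML, subtype="html", filename="security-update.html")
    msg.add_attachment(BENIGN_HTML, subtype="html", filename="newsletter.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, score, reasons in scan_message(build_sample_message()):
        print(f"{name}: score {score} ({'; '.join(reasons)})")
```

On the constructed message only `security-update.html` is reported (score 5); the newsletter scores 0 and passes. In a gateway the same check would run on every attachment before delivery, with the threshold tuned against real traffic, since a single indicator such as a script tag is common in legitimate HTML.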

While phishing remains one of the oldest scams on the internet, it is still a significant problem for individuals and organizations. In fact, the Phishing Working Group reported that the second quarter of 2016 had the highest number of unique phishing sites detected.
